Saturday, October 11, 2008

Off Topic: Palin Booed Off The Ice In Philly

Electronic Voting: Our Hackable Democracy

Want to be sure that your vote won't be miscounted, redirected or sabotaged in November's election? If you live in New Jersey, Dick Kemmerer suggests you might want to deliver your vote to the county clerk--written on a paper absentee ballot--by hand.

"If I lived in New Jersey and had to choose between a voting machine and walking in a paper ballot," he says, "I'd take paper."

Kemmerer, a professor of computer science at the University of California Santa Barbara, knows too much about New Jersey's alternative: the embattled Sequoia touchscreen voting systems used throughout the state.

Last year, he participated in California's "Top-to-Bottom" review of voting machines that found critical security vulnerabilities in the technologies of electronic voting companies Sequoia, Premier Election Solutions and Hart InterCivic--vulnerabilities that the researchers said could be used to prevent machines from accepting votes, change voting counts and, in some cases, even identify voters.

''This fellow Anderson and his ilk have minds that are lower than the regurgitated filth of vultures,'' Hoover typed on a memo dated April 30, 1951. It is one of hundreds from FBI files on Anderson.

Anderson was a Hoover critic. He once wrote that the aging director, running the bureau well into his 80s, should have resigned a decade before. Other journalists suggested the same, but Anderson delivered that and a long career's worth of critical assessments of the bureau in a blunt style that enraged FBI officials.

Documents turned over to The Associated Press under the Freedom of Information Act almost three years after Anderson's death include copies of his columns with critical notes in the margins, summaries of his movements while under surveillance, and FBI memos detailing efforts to find his sources who leaked information from deep inside government agencies.

The leaks fueled Anderson's Pulitzer Prize-winning column, ''Washington Merry-Go-Round,'' and helped him produce stories on scandals including Watergate and the arms-for-hostages deal known as Iran-Contra.

Confidential data on 30 million German phone users could be consulted on the Internet as a result of an error until the phone company locked access, a spokesman for Deutsche Telekom said Saturday.

Confirming a report in Monday's edition of the magazine Der Spiegel, the spokesman said on Thursday and Friday the company, Europe's leading telecommunications firm, had managed to secure the data -- including bank accounts -- relating to its clients.

The data had been accessible and easy to manipulate, he said. The company had no indication of a possible theft of the information.

CastleCops Attacker Sentenced to Prison

A Fairfield computer hacker once known as "Silenz" and "sZ" has been sentenced to two years in prison.

United States Attorney McGregor W. Scott announced Tuesday that Gregory King, 21, of Fairfield, was sentenced to two years in federal prison and was ordered to pay $69,000 in restitution following a guilty plea to two counts of transmitting code to cause damage to a protected computer.

King reportedly admitted to using a "botnet" to conduct distributed-denial-of-service attacks against two different business Web sites - Killanet and Castlecops.

In such an attack, the hacker uses a system of malware-infected, zombie computers to flood victim computers with information and thereby disable them.

King was arrested on Oct. 1, 2007, after FBI agents raided his home and seized a laptop computer containing botnet software and references to King's different Internet monikers.

Friday, October 10, 2008

U.S. Toll in Iraq, Afghanistan

As of Friday, Oct. 10, 2008, at least 4,180 members of the U.S. military have died in the Iraq war since it began in March 2003, according to an Associated Press count.

The figure includes eight military civilians killed in action. At least 3,385 military personnel died as a result of hostile action, according to the military's numbers.

The AP count is two fewer than the Defense Department's tally, last updated Friday at 10 a.m. EDT.

As of Friday, Oct. 10, 2008, at least 540 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures Friday at 10 a.m. EDT.

With gas prices spiking and home values crumbling, the American dream of commuting to work from the fringes of suburbia has become an American nightmare. Many are facing a hard choice: Paying for gas or paying the mortgage. How did it come to this? It's not just about America's financial crisis; it's also about big problems with our national infrastructure. Overstressed highways and too few public transportation options are wreaking havoc on people's lives and hitting the brakes on our already-stretched economy.

This week, NOW on PBS takes a close-up look at our inadequate transportation network and visits some people paying a high price—in both dollars and quality of life—just to get to work. Do we have the means to modernize both our infrastructure and our lifestyles?

UK: Record Growth in DNA Database - Via Stealth

Britain's DNA database is being built by stealth, critics warned, as the Government admitted record numbers of profiles were added last year.

Many of the 722,464 new samples were taken by police from people who have never been convicted of – or even charged with – a criminal offence.

Britain now has a DNA database holding nearly five million samples – by far the largest in the world. Anyone picked up for an arrestable offence has to provide a DNA sample.

The National Policing Improvement Agency (NPIA) disclosed yesterday that police took 722,464 samples in 2006-07, compared with 700,825 in 2005-06 and 520,757 in 2004-05. The total number of DNA profiles held is estimated to be about 4.8 million. Some 350,000 of those taken last year were from children aged 14 and under.

UK: Chip and Pin Scam 'Has Netted Millions From British Shoppers'

Dr Joel Brenner, the US National Counterintelligence Executive, warned that hundreds of chip and pin machines in stores and supermarkets across Europe have been tampered with to allow details of shoppers' credit card accounts to be relayed to overseas fraudsters.

These details are then used to make cash withdrawals or siphon off money from card holders' accounts in what is one of the largest scams of its kind.

In an exclusive interview with The Daily Telegraph, America's counterintelligence chief said: "Previously only a nation state's intelligence service would have been capable of pulling off this type of operation. It's scary."

An organised crime syndicate is suspected of having tampered with the chip and pin machines, either during the manufacturing process at a factory in China, or shortly after they came off the production line.

In what is known as a "supply chain attack", criminals managed to bypass security measures and doctor the devices before they were dispatched from the factories where they were made.

Yat-chan and Fuku-chan are waiters at the Kaoru Otsuka sake house north of Tokyo. The two are monkeys. They bring hot towels and also serve drinks.

"We called out for more beer just then and it brought us some beer! It's amazing how it seems to understand human words," said 71-year-old retiree Miho Takikawa, who said she came to the tavern specifically to meet the monkeys.

UK Hackers Use Surveillance Images For Mischief

Britain has been crowned the most-watched society in the world. The country boasts 4.2 million security cameras (one for every 14 people). A typical Londoner makes an estimated 300 closed-circuit television (CCTV) appearances a day, an average easily met in the short walk between Trafalgar Square and the Houses of Parliament. Polls seem to reflect that the public is fine with it. But how useful is CCTV in stopping crime? Not very, says Scotland Yard.

At the same time, a new class of guerrilla artists and hackers are commandeering the boring, grainy images of parking lots and corridors for their own purposes. For about $80 at any electronics store and some technical know-how, it's possible to tap into London's CCTV hotspots with a simple wireless receiver. Dubbed "video sniffing," the pastime evolved out of the days before widely available broadband, when "war-chalkers" scouted the city for unsecured Wi-Fi networks and marked them with chalk. Sniffing is catching on in other parts of Europe, as well as in New York and Brazil, spread by a small but connected community of practitioners.

"It's actually a really relaxing thing to do on a Sunday," says Joao Wilbert, a master's student in interactive media, who slowly paces the streets in London like a treasure hunter, watching a tiny handheld monitor for something to flicker onto the screen. These excursions pick up obscure, random shots from restaurants and hotel lobbies, or of a young couple shopping in a housewares department. Eerily, baby cribs are the most common images. Wireless child monitors work on the same frequency as other surveillance systems.

Google in Curious Alliance With Click-Fraud Detection Firm

In a development that would have seemed impossible two years ago, Google is cooperating publicly with Click Forensics, a click-fraud detection company with which it has had a rocky relationship.

Click Forensics said Thursday that Google has agreed to accept the electronically generated click-quality reports generated by the Click Forensics FACTr service. That means the process of documenting click-fraud instances and submitting reports to Google will be significantly automated and simplified for advertisers that use the FACTr service.

Google and Click Forensics make for strange bedfellows. The companies have sparred over the issue of click fraud, and the rhetoric has often approached ugly territory.

A top secret NSA wiretapping facility in Georgia accused of spying on Americans illegally was hastily staffed with inexperienced reservists in the months following September 11, where they worked under conflicting orders and with little supervision, according to three former workers at the spy complex.

"Nobody knew exactly what the heck we were doing," said a former translator for the project, code named Highlander, who spoke on condition of anonymity. "We were figuring out the rules as we were going along."

Former Army Reserve linguist Adrienne Kinne, who worked at the facility at Fort Gordon, won new attention this week for her year-old claim that she intercepted and transcribed satellite phone calls of American civilians in the Middle East for the National Security Agency. Senate intelligence committee chair Jay Rockefeller (D-W.Va.) opened a probe into the alleged abuses after ABC News reported on them Thursday.

Threat Level spoke with Kinne extensively last year about the alleged systematic surveillance of Americans and others operating in the Middle East following the 9/11 attacks. She provided a number of details about some of the calls and how the operation was conducted.

VeriSign and ICANN Square Off Over the DNS Root

The internet has a huge security problem that's temporarily fixed with bent paperclips and some gaffer's tape. Without concerted effort, hackers could easily spoil what little confidence remains in the internet.

In fact, cyber-criminals are already exploiting the Domain Name System hack uncovered by security researcher Dan Kaminsky this summer -- essentially setting up fake banking websites that users reach by typing in their bank's real domain name. (That's according to research by Georgia Tech's David Dagon and Internet System Consortium's Paul Vixie.)

That's why the U.S. government finally put out a call Thursday [Actually, it was Wednesday. - ferg] for comments on whether the net as a whole should adopt new security protocols called DNSSEC, and asking who should have the privilege of controlling the master keys.

Internet experts are siding overwhelmingly with ICANN, arguing that the crucial responsibility of making sure users can trust the technical equivalent of the internet's phone book belongs in the hands of the net's main oversight body.

World Bank Under Cyber Siege in 'Unprecedented Crisis' - UPDATE

The World Bank Group's computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned.

It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July.

In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.

In a frantic midnight e-mail [.pdf] to colleagues, the bank's senior technology manager referred to the situation as an "unprecedented crisis." In fact, it may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public.

UPDATE: 16:45 PDT: Representatives of the World Bank are quoted in this InformationWeek article as saying that the FOX News article above "...is riddled with falsehoods and errors and cites misinformation from unattributed sources and e-mails that are taken out of context." -ferg

Thursday, October 09, 2008

UK: MoD Stunned by Massive Data Loss

A computer hard drive with the private details of a huge proportion of Armed Forces personnel is missing, The Ministry of Defence said today.

The portable drive contains the names, addresses, passport numbers, dates of birth and driving licence details of around 100,000 serving personnel across the Army, Royal Navy and RAF, plus their next-of-kin details, an MoD spokeswoman said.

It also has data on 600,000 potential services applicants and the names of their referees.

Officials are "not ruling out" the risk that bank account details of personnel were held on the drive, which belonged to its IT contractor EDS.

Kurtz, who served on the National Security Council in the Clinton and Bush administrations, spoke at the first open hearing on cyber security held by the House Permanent Select Committee on Intelligence. He and other experts discussed President Bush's Comprehensive National Cybersecurity Initiative, disclosed in January, which focuses on cyber espionage against government systems and, they said, does not adequately address the private sector.

There is no coordinated strategy or mechanism for sharing intelligence about intrusions with companies, nor is there a systematic way for companies to share information with the government, said the panelists, who are members of the Center for Strategic and International Studies commission on cyber security, set up last year to advise the next administration.

Classic xkcd: Numerical Sex Positions

Quote of The Day: Toby Gabriner

"It’s not like I didn’t know that privacy was a potential third rail. None of us saw that it would become this much of an issue this quickly."

- Toby Gabriner, former CEO of Adzilla, a Silicon Valley start-up that has folded due to public backlash over their business model -- selling Internet users' browsing details to third-parties for the purposes of targeted advertising.

Analyst: 'Cyber War' Threat to U.S. Grows Worse

Viruses, worms, identity theft, extortion and other forms of criminal activity are not the only illicit uses of the Internet. "Malware" -- malicious software designed to exploit weaknesses in programs and the computers on which they run -- has now spawned the capability to digitally "soften up the battlefield."

The cyberattack has become a major weapon of psychological operations and information warfare in both hot and cold wars. It also will grow as a weapon of choice for transnational terrorists because it provides a relatively inexpensive means to disrupt global communications covertly and, in some cases, the ability to use our own computers against us.

Patch Tuesday: 11 Microsoft Security Updates Due Next Week

Next week will be a busy one for system administrators as Microsoft is planning to ship 11 security updates -- four of them rated critical -- for its products.

The patches will include fixes for critical security bugs in Windows Active Directory, Internet Explorer, Excel, and the Microsoft Host Integration Server, which integrates Windows computers with IBM mainframes, Microsoft said Thursday in a note on the patches.

The critical Active Directory bug affects Microsoft Windows 2000 Server, but not other versions of Windows, Microsoft said. The Excel bug affects both Windows and Mac OS X versions of the product.

There will also be six less-critical updates, rated "important," by Microsoft, for Windows, and a "moderate" patch for Office. All of these updates are expected around 10 a.m. Pacific time on Tuesday.

Study: 13% of H-1B Visa Applications Are Fraudulent

A report released Oct. 8 by the U.S. Citizenship & Immigration Services (USCIS) reveals that 13% of petitions filed for H-1B visas on behalf of employers are fraudulent. Another 8% contain some sort of technical violations.

The study, released to members of the U.S. Senate Judiciary Committee, marks the first time the agency, part of the Homeland Security Dept., has documented systematic problems with the controversial program. Technology companies, in particular, have come to rely on the H-1B visa program to bring in skilled foreign workers to fill jobs that employers claim can't be filled with U.S. candidates. Tech companies like Oracle, Microsoft, and Google have pushed to get more visas, claiming that a shortage of skilled workers is hampering U.S. competitiveness.

Critics say H-1Bs help U.S. companies replace American workers with less costly foreign workers. "The report makes it clear that the H-1B program is rife with abuse and misuse," says Ron Hira, assistant professor of public policy at the Rochester Institute of Technology. "It shows the desperate need for an auditing system." However, both Presidential candidates, Senator Barack Obama (D-Ill.) and Senator John McCain (R-Ariz.), have said they support expanding the program.

Inside Account of Abuses in U.S. Eavesdropping on Americans

Despite pledges by President George W. Bush and American intelligence officials to the contrary, hundreds of US citizens overseas have been eavesdropped on as they called friends and family back home, according to two former military intercept operators who worked at the giant National Security Agency (NSA) center in Fort Gordon, Georgia.

The chairman of the Senate Intelligence Committee, Jay Rockefeller (D-WV), called the allegations "extremely disturbing" and said the committee has begun its own examination.

"We have requested all relevant information from the Bush Administration," Rockefeller said Thursday. "The Committee will take whatever action is necessary."

"These were just really everyday, average, ordinary Americans who happened to be in the Middle East, in our area of intercept and happened to be making these phone calls on satellite phones," said Adrienne Kinne, a 31-year old US Army Reserves Arab linguist assigned to a special military program at the NSA's Back Hall at Fort Gordon from November 2001 to 2003.

Kinne described the contents of the calls as "personal, private things with Americans who are not in any way, shape or form associated with anything to do with terrorism."

Fast-Flux: How Botnets Use 'Bullet-Proof' Domains

That's largely due to an increased use of methods people use to obscure the domain by constantly mapping to different bots within the network, according to a recently released study [.pdf].

The study's authors, Jose Nazario of Arbor Networks and Thorsten Holz of the University of Mannheim, tracked the traffic of 900 fast-flux domain names used by botnets within the first six months of 2008. "Fast-flux" is a term to describe how the botnets use constant changes in the mapping of the hard-coded domain name to different bots within the network. This makes it difficult for law enforcement to identify the main server and shut it down. It also adds a layer of anonymity to those operating the botnet, since the infected computers used can be located worldwide.
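The mechanism described above (a fixed domain name whose A records rotate through many infected hosts on short TTLs) is also what makes fast-flux domains detectable from the resolver side. The following is an added example, not code from the study or from either author: it profiles repeated DNS answers per domain and flags those that show all three indicators at once (many distinct addresses, spread across several unrelated networks, with short TTLs). The observations are constructed sample data using reserved documentation address ranges, and the /16 grouping is an assumption standing in for an ASN lookup, which would need offline routing data.

```python
"""Toy fast-flux heuristic over constructed DNS answer observations.

Each observation is (domain, unix_timestamp, ttl_seconds, [A-record IPs]).
A fast-flux domain rotates through many IPs on unrelated networks with
short TTLs, so it scores high on all three signals at the same time.
"""
from collections import defaultdict
from ipaddress import ip_address
from statistics import median

# Constructed sample data (not real lookups). Addresses come from the
# RFC 5737 documentation ranges and the .test TLD.
OBSERVATIONS = [
    ("flux-example.test", 0,   300, ["203.0.113.10", "198.51.100.7",  "192.0.2.44"]),
    ("flux-example.test", 300, 300, ["203.0.113.25", "198.51.100.80", "192.0.2.9"]),
    ("flux-example.test", 600, 180, ["203.0.113.77", "198.51.100.3",  "192.0.2.120"]),
    ("flux-example.test", 900, 300, ["203.0.113.90", "198.51.100.40", "192.0.2.200"]),
    ("static-example.test", 0,    86400, ["203.0.113.5"]),
    ("static-example.test", 3600, 86400, ["203.0.113.5"]),
    # A CDN-style host: short TTL and a few rotating IPs, but one network.
    ("cdn-example.test", 0,  60, ["198.51.100.1", "198.51.100.2"]),
    ("cdn-example.test", 60, 60, ["198.51.100.3", "198.51.100.2"]),
]


def network_key(ip: str) -> str:
    """Crude stand-in for an ASN lookup (assumption: no offline ASN data
    available): group addresses by their /16 prefix."""
    packed = ip_address(ip).packed
    return f"{packed[0]}.{packed[1]}"


def profile_domains(observations):
    """Aggregate per-domain signals: distinct IPs seen, distinct /16
    networks, and the median advertised TTL across all lookups."""
    ips = defaultdict(set)
    nets = defaultdict(set)
    ttls = defaultdict(list)
    for domain, _ts, ttl, answers in observations:
        ttls[domain].append(ttl)
        for ip in answers:
            ips[domain].add(ip)
            nets[domain].add(network_key(ip))
    return {
        d: {"ips": len(ips[d]), "networks": len(nets[d]), "median_ttl": median(ttls[d])}
        for d in ttls
    }


def is_fast_flux(stats, min_ips=5, min_networks=3, max_ttl=600):
    """All three indicators must hold: many IPs, spread across several
    networks, with short TTLs. Requiring all three keeps a CDN rotating a
    few addresses inside one network, or a stable host, from being flagged."""
    return (stats["ips"] >= min_ips
            and stats["networks"] >= min_networks
            and stats["median_ttl"] <= max_ttl)


def flagged_domains(observations):
    """Return the sorted list of domains the heuristic classifies as fast-flux."""
    profiles = profile_domains(observations)
    return sorted(d for d, s in profiles.items() if is_fast_flux(s))


if __name__ == "__main__":
    for d, s in profile_domains(OBSERVATIONS).items():
        print(d, s, "FAST-FLUX" if is_fast_flux(s) else "ok")
```

The thresholds are illustrative; in practice they are tuned against known-good traffic, and the network signal should come from real AS data, since a flux network's value to its operator lies precisely in its hosts being scattered across many unrelated providers.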

A 22-year-old Romanian national pleaded guilty yesterday in federal court to possessing unauthorized credit card numbers in connection with an Internet “phishing” scheme to collect personal information of individuals and sell it.

On Oct. 6 in Minneapolis, Sergiu Daniel Popa pleaded guilty to one count of possession of 15 or more unauthorized access devices and one count of aggravated identity theft. He was indicted on June 19, 2007, and entered his plea before United States District Court Judge John Tunheim. Popa was extradited to the U.S. from Spain in June.

According to Popa’s plea agreement, from June 2000 through February 2007 Popa resided in New York and Michigan, and maintained two e-mail accounts. Popa used the accounts to harvest, via the phishing scheme, personal identification and financial information, such as names, addresses, bank account numbers, credit card numbers, Social Security account numbers, and personal identification numbers of thousands of individuals, including some Minnesota residents.

In Popa’s scheme, he created fraudulent e-mails and fraudulent websites to appear as if they were authorized by legitimate entities. As the defendant intended, pursuant to his scheme, those victims who received his e-mails and went to his websites were tricked into providing their personal identification and financial information, believing that a legitimate institution had requested the information.

Image of The Day: 'That One'

Hacker's List of Online Accounts Spooks Users

When Australian web users learned from the Herald that details of their online accounts [.pdf] had been posted on a hacker's website for all to see, they were suspicious, then alarmed, then furious at the hacker who compromised their identities.

Email addresses, matched with user names and passwords for online memberships, were offered by the hacker for anyone wanting to try their hand at identity theft or even financial fraud.

The Herald stumbled across the site during its investigations into online fraud. "It's obviously startling," said Lachlan Yee, a research associate in biotechnology at the University of NSW and one of those whose details were exposed by the hacker.

U.S. Commerce Dept. Asks The World to Comment on Its Plans to Retain Control of The Root

The U.S. Commerce Department used its presence at a French conference on the “Internet of things” to announce that it will hold a public consultation on the different proposals to digitally encrypt the DNS root zone file, so that it can serve as the trust anchor for global DNSSEC implementation. The call for public comment will be released later this week. The announcement was made by NTIA's Meredith Attwell Baker, who encouraged other governments to participate in the domestic US proceeding.

The announcement occurred after NTIA prevented ICANN, the supposedly independent, global, "bottom up" administrator of the DNS, from holding its own public consultation. Also, DoC says it is awaiting a proposal from ICANN regarding “automation” of certain root functions. ICANN's Paul Twomey, who was on the same panel, declined comment on anything NTIA said; apparently the gag order still holds.

Australia: 'Million Dollar Network Sabotage'

Authorities said they still had no motive for the alleged sabotage, which brought down Northern Territory Supreme Court, Parliament House, Darwin prison and Royal Darwin Hospital servers, rendering them "unusable".

David Anthony McIntosh, 28, of Palmerston, did not make any money from his cyber hit, crown prosecutor David Brustman said.

"It was simply an act of spite and vengeance, which came about from his disaffection, either with his employment or, indeed, the world at large," he said.

Mr Brustman said the attack also wiped 10,475 public servants from existence - and crisis teams were flown from interstate to fix the mess.

He said the damage and costs of the hacking effort were as yet unknown, but it was estimated to have run into "the millions of dollars".

Mr McIntosh - former server engineer with CSG Services, which operates NT Government computer systems - is accused of using a fellow workmate's computer and accessing her internal log-on details to carry out his attack.

Chertoff Urges Caution on Potential of New Cyber Security Laws

Policy-makers and Congress should “proceed in a measured way” as they consider passing new laws or granting new authorities aimed at improving cybersecurity, the head of the Homeland Security Department said Wednesday.

DHS Secretary Michael Chertoff said he believes government has sufficient authority under current law to protect government and military assets. He also said that when working with the private sector on cybersecurity the government should “make sure we are invited in rather than pushing our way in.”

DHS plays a prominent role in the government’s multiyear, multibillion-dollar national cybersecurity initiative, which the administration launched earlier this year. The department is responsible for securing the .gov domain and is heading up efforts to work with private industry on the task. Meanwhile, the Defense Department is tasked with protecting the .mil domain and the Intelligence Community is responsible for its domain.

DHS' new National Cybersecurity Center (NCSC) will bring together officials from DOD, DHS, the Office of the Director of National Intelligence and the Justice Department physically and virtually to coordinate operational efforts.

Tennessee Student Indicted for Hacking Palin E-Mail

David Kernell, the 20-year-old Tennessee student who has been under suspicion for allegedly obtaining unauthorized access into Alaska Gov. Sarah Palin's private Yahoo e-mail account, has been indicted by a federal grand jury in Tennessee.

According to a Justice Department spokeswoman, the grand jury returned the sealed indictment Tuesday afternoon, and Kernell turned himself in to the FBI this morning, after which the indictment was unsealed. Kernell is being arraigned in Tennessee today. A trial date has been set for December 16.

Kernell, who is the son of Tennessee Democratic state representative Mike Kernell, is indicted on one felony count of violating the Computer Fraud and Abuse Act.

Maryland Police Put Activists' Names On Terror Lists

The Maryland State Police classified 53 nonviolent activists as terrorists and entered their names and personal information into state and federal databases that track terrorism suspects, the state police chief acknowledged yesterday.

Police Superintendent Terrence B. Sheridan revealed at a legislative hearing that the surveillance operation, which targeted opponents of the death penalty and the Iraq war, was far more extensive than was known when its existence was disclosed in July.

The department started sending letters of notification Saturday to the activists, inviting them to review their files before they are purged from the databases, Sheridan said.

"The names don't belong in there," he told the Senate Judicial Proceedings Committee. "It's as simple as that."

The surveillance took place over 14 months in 2005 and 2006, under the administration of former governor Robert L. Ehrlich Jr. (R). The former state police superintendent who authorized the operation, Thomas E. Hutchins, defended the program in testimony yesterday. Hutchins said the program was a bulwark against potential violence and called the activists "fringe people."

Tuesday, October 07, 2008

Toon of The Day: The President of NBC

Broader FBI Powers Now Set in Stone

Wall Street's $700 billion bailout reasonably dominated the news cycle last week. But something else occurred on Friday just as Washington prepared to leave for the weekend, and the announcement has civil libertarians in an uproar.

Elements of the proposed changes generated attention after Democratic lawmakers heard testimony about them in August and worried publicly in a letter to the Attorney General's Office that they could lead to abuse. The Justice Department also presented the changes to advocacy groups inviting the American Civil Liberties Union, the Electronic Privacy Information Center and others to read but not copy them before they were released.

Attorney General Michael Mukasey and FBI Director Robert Mueller then declared in a joint statement Friday that they'd "consulted" with civil liberties groups and Congress prior to making the changes final, implying that the effort was supported across the political spectrum.

Report Warns U.S. Could Lose Space-Spy Dominance

America has become so lousy at building spy satellites that "the United States is losing its preeminence in space," a Congressional intelligence report declares. What's worse, this decline comes as "emerging space powers such as Russia, India and China" are getting better and better at snooping from above.

The gloomy report, approved last Friday by the House's technical and tactical intelligence subcommittee, was originally obtained by CQ scoopster Tim Starks. "A once robust partnership between the U.S. Government and the American space industry has been weakened by years of demanding space programs, the exponential complexity of technology, and an inattention to acquisition discipline," the document states.

Air Force Pursues Cyber Command (Again)

Top Air Force leadership has decided to pursue forming Cyber Command to defend Defense Department networks and to launch cyberattacks against foes after putting the project on hold in August.

The service's leadership, including Air Force Secretary Michael Donley and Chief of Staff Gen. Norton Schwartz, made the decision last week at the Corona senior leadership conference in Colorado Springs, Colo., to continue its effort to stand up the command, said Capt. Michael Andrews, an Air Force spokesman.

The service put Cyber Command on hold in August, saying it wanted to delay the program until new senior Air Force leaders, including Schwartz, had time to make a final decision on the scope and mission of the command. Last month, sources said the Pentagon decided that the U.S. Strategic Command in Omaha, Neb., should create and run a joint Cyber Command, a move that seemingly dashed any hopes the Air Force had to own Defense's cyber responsibilities.

Adobe Issues Security Advisory on Flash Clickjacking

[Adobe has...] just posted a Security Advisory for Flash Player in response to recently published reports of a ‘Clickjacking’ issue in multiple web browsers that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog.

This potential ‘Clickjacking’ browser issue affects Adobe Flash Player’s microphone and camera access dialog. A Flash Player update to mitigate the issue will be available before the end of October. In the meantime, users can apply the workaround described in the Advisory.

Scammers Introduce ATM Skimmers With Built-In SMS Notification

The bust of the notorious ATM scammer going under the handle of Cha0 in early September once again puts ATM skimming in the spotlight. Among the main insecurities scammers face while embedding an ATM skimmer is the retrieval process of the device, which by then contains the credit card details of several hundred people, depending on the volume of transactions that occurred while the device was in place. How then are scammers going to minimize the risk of getting caught without having to come back to the crime scene?

A recently uncovered serial manufacturer of ATM skimmer devices seems to have solved the retrieval problem by introducing skimmers that automatically send the complete card details to the scammer by SMS, removing the need to go back for the device.

Not Much Genius in DHS's Einstein 3.0 Plan

Michael Chertoff, head of the Department of Homeland Security, is back in the headlines with comments on Einstein 3.0, the department's latest effort to protect cyberspace. Sadly, as I read through the articles, the only thing I could think of was bad jokes.

Let me give one example. Chertoff states the system "would literally, like an anti-aircraft weapon, shoot down an attack before it hits its target. And that's what we call Einstein 3.0."

To judge from recent personnel appointments, it's pretty clear Chertoff doesn't much value technical experience where cyber-security is concerned. So I'd like to introduce him to the concept of a firewall. For the unaware, these are common products, available for more than a decade and already included in many operating systems. They prevent attacks from reaching their targets.

Despite the administration's demonstration that they don't value security experience, they really cannot be this naïve. At least I hope not.

Counterterrorist Data Mining Needs Privacy Protection - UPDATE

In a sweeping new report that examines the balance between security and privacy, the National Research Council (NRC) recommends that the U.S. government re-think its approach to counterterrorism in light of the privacy risks posed by unchecked data mining and behavioral surveillance.

The NRC report, "Protecting Individual Privacy in the Struggle Against Terrorists," is the culmination of three years of discussions and research aimed at providing the government with a framework for thinking about existing and future information-based counterterrorism programs. Former U.S. Secretary of Defense William Perry co-chaired the study committee.

The proposed framework represents an attempt to address privacy concerns that have dogged past counter-terrorist data mining programs like Total Information Awareness.

The report acknowledges the utility of a variety of technologies in the context of security, but cautions that counterterrorism programs need to be operated lawfully, with oversight, and with some recognition of the limits of technology.

Programming Note: Light Posting

Hi folks.

As you may have already noticed, posting to the blog was rather light yesterday, due to my feeling rather poorly. I'm hoping that I'll feel better tomorrow, but as it stands right now, I figure it might be a repeat of today.

I'll post when I can, but in the meantime, apologies for the scarcity of posts to the blog.

Judge's Top Secret Decision Blocks Sale of DVD-Copying Software

A federal judge has issued a secret, interim order blocking the sale of RealNetworks' DVD-copying software, RealDVD, two sources said Monday.

In an unusual move, the judge presiding over the MPAA's federal copyright lawsuit against RealNetworks also instructed both parties not to disclose the existence of the restraining order to the public.

U.S. District Judge Marilyn Hall Patel, who previously presided over the original Napster litigation, issued the tentative decision late Friday, the sources said. As of this writing, the electronic court docket does not reflect a sealed decision in the case, although RealNetworks informed consumers on its website that, "Due to recent legal action taken by the Hollywood movie studios against us, RealDVD is temporarily unavailable."

Defense Tech: Relocating NORAD Facilities Fraught With Security Risks

Critics say a decision two years ago to move the operations center of the North American Aerospace Defense Command (NORAD) out of Cheyenne Mountain to the basement of an office building on Peterson Air Force Base in nearby Colorado Springs, and to disperse the other missions housed at the mountain, could undermine U.S. national security.

According to military and defense sources familiar with the missions and U.S. government documents obtained by The Washington Times, the move — billed as a cost-cutting measure — received insufficient government review, violated previous Pentagon directives, may have broken U.S. law and has left the United States less able to track potential threats and the operations center more vulnerable to attack.

"We see decisions like closing Cheyenne Mountain that are driven for cost purposes only, not military requirements," said Retired Air Force Lt. Gen. Thomas G. McInerney. "Cheyenne Mountain should remain an active facility but cost pressures are driving combatant commanders to make riskier decisions."

UK: Government Will Spy On Every Call And e-Mail

Ministers are considering spending up to £12 billion on a database to monitor and store the internet browsing habits, e-mail and telephone records of everyone in Britain.

GCHQ, the government’s eavesdropping centre, has already been given up to £1 billion to finance the first stage of the project.

Hundreds of clandestine probes will be installed to monitor customers live on two of the country’s biggest internet and mobile phone providers - thought to be BT and Vodafone. BT has nearly 5m internet customers.

Ministers are braced for a backlash similar to the one caused by their ID cards programme. Dominic Grieve, the shadow home secretary, said: “Any suggestion of the government using existing powers to intercept communications data without public discussion is going to sound extremely sinister.”